Cisco Cisco Firepower Management Center 4000 Entwickleranleitung

The following table describes the fields in the Intrusion Event Extra Data record.

The eStreamer service transmits the event extra data metadata associated with intrusion event extra data 
records in the Intrusion Event Extra Data Metadata record. The record type is always 

111

.

The event extra data metadata appears in an encapsulated Event Extra Data Metadata data block, which 
always has a data block type value of 

5

. The Event Extra Data data block is a series 2 data block.

If bit 20 is set in the Request Flags field of a request message, you receive the event extra data metadata. 
If you want to receive both intrusion events and event extra data metadata, you must set bit 2 as well. 
See 

. If you enable bit 23, an extended event header is included in the record.

Event Extra Data 
Data Block Type

uint32

Initiates an Event Extra Data data block. This value is always 

4

. 

The block type is a series 2 block; for information see 

. 

Event Extra Data 
Data Block Length

uint32

Length of the data block. Includes the number of bytes of data 
plus the 8 bytes in the two data block header fields.

Device ID

uint32

The managed device identification number.

Event ID

uint32

The event identification number.

Event Second

uint32

UNIX timestamp of the event (seconds since 01/01/1970).

Type

uint32

Identifier for the type of extra data; for example:

1

 - XFF client (IPv4)

2

 - XFF client (IPv6)

9

 - HTTP URI

BLOB Block Type

uint32

Initiates a BLOB data block containing extra data. This value is 
always 

1

. The block type is a series 2 block. 

Length

uint32

Total number of bytes in the BLOB data block.

Extra Data

variable

The content of the extra data. The data type is indicated in the 
Type field. 

Byte

0

1

2

3

Bit

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

Header Version (1)

Message Type (4)

Message Length

Record Type (111)

Record Length